An example of Windows 2000 security maintenance and error solving

Computer security not only protects local computer data, but also protects data on the network. An excellent operating system can identify the persons who attempt to access computer resources, prevent users from accessing specific resources improperly, and provide users with simple and effective methods to set and maintain computer security. At present, PC users often use Windows. Compared with previous versions, Windows 2000 based on the NT platform technology has greatly improved stability and security. The following uses Windows 2000 Professional as an example to describe how to solve an application problem.
I. Windows 2000 Security Functions
1. user accounts and account groups
Ensure that only authorized users can access the computer and effectively manage the permissions and permissions of specific tasks, such as folder access permissions. The built-in system group allows most users to obtain all the user rights and permissions required to execute their respective tasks. Manage the user and password in the control panel ".
2. Share folder Permissions
By granting shared folder permissions to any folder, you can restrict or allow access to these folders through the network. Set through the project property menu. By default, when a shared directory is added to Windows 2000, the operating system automatically adds the EveryOne user group to the permission module, because the default permissions of this group are fully controlled, as a result, anyone can read and write the shared directory. Therefore, after creating a shared directory, immediately delete the EveryOne group or change the group's permissions to read.

3. Functions of NTFS file systems that are more secure than FAT and FAT32:
The disk quota service can control the disk space that each user can use;
Allows you to set file or folder permissions, restrict or allow access to users or groups, and specify access types, that is to say, you can restrict the files that can be read and written by each user to any folder in the disk directory. If you want to share a folder on the NTFS drive without special settings, the NTFS folder access permission is valid on both the local machine and the network;
NTFS also supports the owner to encrypt files and folders to better protect information.
We recommend that you use NTFS disk partitioning.
4. Printer permission
Restrict user access by assigning printer permissions. Three permissions are available: print documents, manage documents, and manage printers. Set through the project property menu.
5. Review
You can use audit trails to access accounts of files or other objects, as well as user logon attempts, shutdown or restart the system and other specified events. Before a review, you must use the Group Policy to specify the event type to be reviewed. For example, to audit a folder, you must first enable "Audit Object Access" of "Audit Policy" in "group policy ". Next, you can set audit as you set permissions: select an object such as a file or folder), and then select the user and group for which you want to review its operations. Finally, select the action you want to review, for example, try to open or delete a restricted folder. Review successful and failed attempts. You can use Event Viewer to view security logs to track audit activities. The audit mechanism for disk access can only be applied to the NTFS file system. The audit mechanism should be used for all users to be reviewed.
6. User Rights
User Rights are rules used to determine whether a user can perform operations on a computer. In addition, the User Rights control whether the user can be directly on the Local Computer) or log on to the computer through the network, add the user to the Local Group, delete the user, and so on. The built-in group has a set of user rights that have been assigned. In general, the Administrator assigns user rights by adding user accounts to a built-in group, or by creating a new group and assigning specific user rights to the group. Then, the user added to the group automatically obtains all the user rights assigned to the group account. User Rights are managed by group policies.

7. Other Local Security Settings
Allows the security administrator to configure the security level assigned to the "Group Policy" object or local computer policy. The Local Security Policy is used to configure the security settings of the local computer. These settings include password policy, account lock policy, Audit Policy, IP Security Policy, user permission assignment, data encryption recovery proxy, and other security options. Because local security policies are mainly set for local users, they are only available on Windows 2000 computers that are not domain controllers.
The preceding four features are commonly used and easy to set. security settings such as review and user rights are complicated to use, but the features are indeed very powerful. Users can make in-depth and meticulous adjustments to system operation parameters, until the individual needs are fully met. For example:
* It is useful to prevent malicious attacks from the lan. You can obtain the location and number of times of remotely attempting to log on to an account and cancel the remote logon permission of an account.
* You can control your resources in a policy. For example, you cannot access a local drive or optical drive from the network, whether or not you are set to share permissions.
* Using security policies to protect data makes it difficult or impossible for attackers to crack data. A combination of algorithms and keys is used to protect information. Windows 2000 provides a high security level by using encryption algorithms and keys.
Windows 2000 security settings are mainly performed in "Local Security Policy. Click Start, point to program, point to administrative tools, and click Local Security Policy. Its settings include:
* Account policy: password and account lock Policy
* Local Policies: audit, user rights, and security option policies
* Public Key Policy IP Security Policy): Internet Protocol Security (IPSec) management. The IPSec Policy is a management policy for secure communication with other computers.
It is best to have guidance from a senior administrator.
2. An error occurred while setting local security policies: solution and further suggestions
1. If you do not pay attention to the Local Security Policy setting process, it will cause a lot of trouble. Example:
An error occurred while setting Windows 2000 Professional. In the local policy, set the "Deny local Logon" project of "User Privilege assignment" to "Users, guests, EveryOne ". As a result, the user cannot log on again after logout, and the system prompts "no interactive session can be performed ". If the setting item contains "EveryOne", all accounts are not allowed to log on.

Solution: in Windows 2000, the data record of the current local SECURITY settings is stored in the config directory under system32 in the Windows System directory. The file name is SECURITY. You can log on normally only after correct modification. For simplicity, use the initial system configuration to overwrite it. Because the machine uses the FAT32 format and starts with a clean Win98 floppy disk, the SECURITY file under the repair subdirectory of the Windows directory is copied to config to overwrite the error file. Logon is normal. Correct settings are as follows:

If the machine uses the NTFS format, you must use Windows 2000 to install a floppy disk or the installation disc to start. To prevent the startup disk from being found immediately after a similar fault, you can apply the Windows 2000 fault recovery console feature to solve the problem quickly.
2. Windows 2000 fault recovery console
The Windows 2000 fault recovery console is a command line console that can be started from the Windows 2000 installer. Using the fault recovery console, You can execute many tasks without starting Windows 2000 from the hard disk, start and stop services, and format the drive, read/write data on the local drive, including the drive formatted as NTFS), and perform many other management tasks. The Recovery Console is particularly useful if you need to repair the system by copying a file from a floppy disk or CD-ROM to a hard disk, or if you need to reconfigure a service that blocks normal computer startup. The fault recovery console is very powerful and can only be used by advanced users familiar with Windows 2000. You must be an administrator to use the fault recovery console.
You can install a disk on Windows 2000 or run the fault recovery console on Windows 2000 Professional CD. As an alternative, you can install the fault recovery console on your computer to solve the problem when Windows 2000 cannot be restarted. In this case, you only need to select the Windows 2000 fault recovery console option from the boot menu. After the fault recovery console is started, you must select the drive to be logged on if there is a dual boot or multi-boot system) and log on with the administrator password.
The fault recovery console provides a command line to change the system when Windows 2000 is not started. Once you run the fault recovery console, type "help" at the command prompt to get help on available commands. To restart the computer, type exit to close the Command Prompt window.
Install the fault recovery console as a startup option so that it can run when the computer cannot be restarted. Install as the startup option: log on to Windows 2000 as an administrator or user with administrator privileges. Insert the Windows 2000 Professional disc into the CD-ROM drive. If you are prompted to upgrade to Windows 2000, click "no ". From a command prompt or from the "run" command box in Windows 2000, type the path pointing to the corresponding Winnt32.exe file in the Windows 2000 CD), followed by a space and/cmdcons switch option. For example:
E: \ i386 \ winnt32.exe/cmdcons
Follow the prompts.
The fault recovery console is installed in the \ Alibaba cons folder under the root folder, including the Cmldr file in the root folder. The Boot. ini file contains the Boot entry of the fault recovery console.
The security of Windows 2000 is undoubtedly very high. However, if you do not pay attention to it during daily use, the vulnerability still exists, such as the problems caused by the user. For general users, I suggest hiding the local security policies in the control panel management tools to avoid improper use. When necessary, you can start Local Security Policy settings from the command line [Command Format: c: \ winnt \ system32 \ secpol. msc/s.